I have enabled csrf protection in Codeigniter. Using form_open()
I'm able to produce a hidden csrf value that should be verified in my controller. However I'm not submitting any input fields but just passing a url paramater via the form action.
In my controller I don't need to set validation rules so I have
function delete_post($post_id = '') //post id passed via 3rd URL segment
{
if (is_int($post_id) && valid_post($post_id)) //valid_post() returns true if post id exists
{
$this->Posts_model->delete_post_model($post_id);
redirect('site');
}
}
Csrf protection doesn't seem to work without validation rules. Is it possible to make this work without passing post_id
via a hidden input?
As you can see in the code of the Security class, CSRF protections only works with POST
data (form validation also works with POST
data actually).
You should to this the CodeIgniter way and use a POST
request. If you're using AJAX, then simply change GET
to POST
, and if you're using a form, set the method to post
. If you can't do it then you'll have to fight against CodeIgniter core code, so try to explain why. :)